Authorized quantum computation 



Yu Tanaka 

Department of Physics, Graduate School of Science, University of Tokyo, Tokyo 113-0033 Japan 
Advanced Materials Laboratories, Sony, Kanagawa 243-0021 Japan 

Mio Murao 

Department of Physics, Graduate School of Science, University of Tokyo, Tokyo 113-0033 Japan 
PRESTO, JST, Kawaguchi, Saitama 332-0012, Japan 
Institute for Nano Quantum Information Electronics, University of Tokyo, Tokyo 153-8505, Japan 

(Dated: March 12, 2009) 

We present authorized quantum computation, where only a user with a non-cloneable quantum 
authorization key can perform a unitary operation created by an authenticated programmer. The 
security of our authorized quantum computation is based on the quantum computational complexity 
problem of forging the keys from an obfuscated quantum gate sequence. Under the assumption of the 
existence of a sufficiently-random gate shuffling algorithm, the problem is shown to be in the NQP 
(Non-deterministic Quantum Polynomial)-hard class by reducing it to a NQP-Complete problem, 
the exact non-identity check problem. Therefore, our authorized quantum computation can be 
computationally secure against attacks using quantum computers. 

PACS numbers: 03.67.Ac, 03.67.Lx, 03.67.Dd 



Consider the world once quantum computers exist and are widely used. In this world, unitary
operations are the programs of quantum computers. For the programmers of quantum programs,
they are important intellectual property, and it is important to protect the copyright of the
programs. On the other hand, the users of a program do not need to know the details of the
program; they just want to perform a task, as long as the program is created by the
authenticated programmer.

Such a situation can be solved if the programmer encodes a program so that the original program
is only performable for users with non-cloneable authorization keys, distributes the encoded
programs via an authenticator, and sends the authorization keys directly to the users. Then,
anyone can download the encoded programs via the authenticator, which are guaranteed to have
been made by the programmer, but they are performable only by the authorized user. In this
letter, we propose a scheme of authorized quantum computation that allows this task in quantum
computational security, as a possible new quantum cryptographic primitive.

In our scheme, we employ both quantum advantages and quantum limitations for its security. To
protect the original programs from unauthorized users, the encoding process of the program is
two-fold. One is an encryption process of introducing quantum authorization keys so that
computation is not possible without using the correct key. The keys are unknown quantum states
for any users (even for authorized users) and their anonymity and non-cloneability is ensured by
quantum mechanics. The other is an obfuscation process that hides the basis of the keys in the
encoded program. It is known that classically, obfuscating programs is impossible [1]. For
quantum settings, existence of obfuscation with the help of quantum states is an open problem
[2]. In this letter, by introducing the concept of gate shuffling algorithms, we show a
sufficient condition for the obfuscation process where forging the quantum authorization keys is
computationally difficult even using quantum computers. We stress that we do not obfuscate the
quantum program itself, but the identity of the quantum authorization keys.

We note that if we do not require the authenticity of the program, blind quantum computation
[3], which aims to perform a unitary operation without revealing the identity of input states,
can be used for similar tasks. Blind quantum computation is a two-party protocol based on
informational security and it requires multiple quantum/classical communications during
computation. In contrast, our authorized quantum computation is a semi-public protocol based on
computational security to ensure the authenticity of the program and no communication is
required during computation.

We first present a construction of authorized quantum computation to sketch our scheme. We
regard unitary operations to be quantum programs. Note that we consider only polynomial quantum
programs, namely, unitary operations represented by an array of a polynomial number $p(n)$ of
elementary unitary gates. A unitary operation $U$ is described by a polynomial classical bit
sequence $\{0,1\}^*$. We call this classical information a quantum gate sequence of $U$ and
denote it by $x(U)$. (Throughout this letter, we use capital letters to represent unitary
operations and small letters to represent their quantum gate sequences.) Due to the
non-uniqueness of the gate sequence representation for unitary operations, we consider a set of
all quantum gate sequences for a unitary operation $U$ consisting of at most $p(n)$ elementary
gate arrays and denote it by $g_{p(n)}(U)$, or simply $g(U)$ if the specification of a function
$p(n)$ is irrelevant. Since calculations of the matrix representation of a unitary operation
require exponential computational power in terms of $n$, we have to rely on the polynomial gate
sequence representation of unitary operations when $n$ is large. Now consider a programmer who
wants to encode a unitary operation $U_i$ (where $i$ is an index for specifying the unitary
operation) acting on an $n$-qubit input Hilbert space $\mathcal{H}_{\mathrm{input}}^{\otimes n}$.

Step 1: The programmer extends $U_i$ into another unitary operation $G$ acting on a larger
Hilbert space, adding an $m$-qubit Hilbert space $\mathcal{H}_{\mathrm{key}}^{\otimes m}$ of
quantum authorization keys in front of the input Hilbert space. (We often simply denote the
quantum authorization key as the key.) This extension is similar to the programmable quantum
gate arrays proposed by Nielsen and Chuang [4]. The extended unitary operator $G$ transforms
$G(|i\rangle \otimes |\psi\rangle) = |i\rangle \otimes U_i|\psi\rangle$, where $\{U_i\}$ is a set
of $P = 2^k$ ($1 \le i \le 2^k \ll 2^m$) unitary operations for an arbitrary input state
$|\psi\rangle \in \mathcal{H}_{\mathrm{input}}^{\otimes n}$, and
$\{|i\rangle \in \mathcal{H}_{\mathrm{key}}^{\otimes k}\}$ are the corresponding key states in a
computational basis specified by a binary bit sequence $\{0,1\}^k$. The number of key qubits $k$
should be taken to be of order $\log(n)$ to restrict the total gate number of $G$ to be
polynomial in $n$. Thus the $(m-k)$-qubit dummy space
$\mathcal{H}_{\mathrm{dummy}}^{\otimes (m-k)}$ is introduced in the key space. A construction of
$G$ for $\{U_i\}$ is shown in Fig. 1, where $M_1$ and $M_2$ are random unitary operations acting
on the dummy qubit space.

Step 2: By applying random unitary operations $L$ and $R$ on only
$\mathcal{H}_{\mathrm{key}}^{\otimes m}$ as $G \to G' = (L \otimes I)G(R \otimes I)$, where $I$
denotes an identity operator of an appropriate dimension, we create a key state
$|\phi_i\rangle = R^\dagger|i\rangle$ satisfying

$$G'(|\phi_i\rangle \otimes |\psi\rangle) = |\phi'_i\rangle \otimes U_i|\psi\rangle, \qquad (1)$$

where $|\phi'_i\rangle = L|i\rangle$ is the key state after performing $G'$. The programmer
issues only one key for each authorized user. This step is the encryption process of the keys.

Step 3: The essence of our obfuscation process is in the non-uniqueness of the quantum gate
sequence representation for unitary operations. The programmer transforms the series of quantum
gate sequences $x(G') = x(R)x(G)x(L)$ into another obfuscated quantum gate sequence $x'(G')$,
where extracting information of $R$ and $L$ from $x'(G')$ is not possible in polynomial time
even using quantum computers. We call this transformation of quantum gate sequences quantum gate
shuffling. Later, we present a sufficient condition for a quantum gate shuffling algorithm for
performing the obfuscation process.

Step 4: Classical information of the obfuscated gate sequence $x'(G')$ is delivered to the
trusted third party (authenticator) by the programmer. It is authenticated and announced
publicly. On the other hand, the programmer directly sends the key $|\phi_i\rangle$ to an
authorized user via a quantum channel. A pair of an authenticated public program $x'$ and a set
of authorization private keys is created.

Step 5: The user performs a unitary operation $G'$ described by $x'(G')$ on the joint state of
the key and an input state $|\psi\rangle$ of the user's choice. Then the state $U_i|\psi\rangle$
is obtained. If the user does not use the correct key $|\phi_i\rangle$ and performs $G'$, the
resulting joint state cannot be a desired state and is highly likely to be entangled. The
security of our scheme will be discussed later.

$G' = (L \otimes I)G(R \otimes I)$

FIG. 1: A construction of gate sequences for the unitary operations $G$ and $G'$. See the text
for notations.

We note that by performing the reverse quantum gate sequence using the used key state, the
reverse unitary operation $U_i^\dagger$ can also be performed and the original key is regained
by $G'^\dagger(|\phi'_i\rangle \otimes |\psi\rangle) = |\phi_i\rangle \otimes U_i^\dagger|\psi\rangle$.
Therefore, we can recycle the quantum authorization key as long as it keeps coherence.
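The encryption of Steps 1 and 2, the execution of Step 5 and the key recycling just described can be checked numerically on a small instance. The following NumPy sketch is an added example, not code from the paper; it assumes no dummy qubits ($m = k$), uses seeded random unitaries as stand-ins for $U_i$, $L$ and $R$, does not model the gate shuffling of Step 3, and all function names are illustrative.

```python
import numpy as np

def random_unitary(dim, rng):
    """Random unitary via QR of a complex Gaussian matrix (stand-in for U_i, L, R)."""
    z = rng.normal(size=(dim, dim)) + 1j * rng.normal(size=(dim, dim))
    q, r = np.linalg.qr(z)
    d = np.diag(r)
    return q * (d / np.abs(d))          # rescale column phases; q stays unitary

def basis(i, dim):
    """Computational basis state |i> as a complex vector."""
    e = np.zeros(dim, dtype=complex)
    e[i] = 1.0
    return e

def build_scheme(k=2, n=2, seed=7):
    """Steps 1-2 with k key qubits and n input qubits (assumption: m = k)."""
    rng = np.random.default_rng(seed)
    K, D = 2 ** k, 2 ** n
    programs = [random_unitary(D, rng) for _ in range(K)]
    # Step 1: G(|i> (x) |psi>) = |i> (x) U_i|psi>
    G = sum(np.kron(np.outer(basis(i, K), basis(i, K)), U)
            for i, U in enumerate(programs))
    # Step 2: G' = (L (x) I) G (R (x) I), with key |phi_i> = R^dagger |i>
    L, R = random_unitary(K, rng), random_unitary(K, rng)
    G_enc = np.kron(L, np.eye(D)) @ G @ np.kron(R, np.eye(D))
    keys = [R.conj().T @ basis(i, K) for i in range(K)]
    return programs, G_enc, keys, L

def run(G_enc, key, psi):
    """Step 5: apply G' to key (x) psi; return the output and the input-register purity."""
    out = G_enc @ np.kron(key, psi)
    m = out.reshape(len(key), -1)       # rows: key register, columns: input register
    rho_in = m.T @ m.conj()             # reduced state after tracing out the key register
    purity = float(np.real(np.trace(rho_in @ rho_in)))
    return out, purity

def reverse(G_enc, state):
    """Apply the reverse gate sequence G'^dagger (key recycling)."""
    return G_enc.conj().T @ state

if __name__ == "__main__":
    programs, G_enc, keys, L = build_scheme()
    psi = np.array([1, 1j, 0, -1], dtype=complex) / np.sqrt(3)   # constructed input state
    out, purity = run(G_enc, keys[1], psi)
    expected = np.kron(L @ basis(1, 4), programs[1] @ psi)
    print("correct key: product output =", np.allclose(out, expected), "purity =", round(purity, 6))
    _, p_bad = run(G_enc, basis(1, 4), psi)   # unrotated basis state used in place of the key
    print("wrong key: purity =", round(p_bad, 6), "(below 1 means entangled with the key register)")
```

A purity of 1 on the input register means the output factorizes as $|\phi'_i\rangle \otimes U_i|\psi\rangle$; a value below 1 for a wrong key is the entanglement that Step 5 refers to.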

In this scheme, security depends on the obfuscation process given in Step 3. To present a
sufficient condition for obfuscation, we investigate strategies for a malicious user, Eve. We
consider that Eve wants to perform the original unitary operation $U_i$ without using the
quantum authorization key $|\phi_i\rangle$ issued by the programmer. A powerful Eve may also be
able to tap the quantum channels and steal other $N$ keys
$\{|\phi_j\rangle\}_{j = j_1, \ldots, j_N}$ where $j \neq i$, and analyze the quantum gate
sequence $x'(G')$ to obtain a quantum gate sequence of $U_i$. If the key is stolen, there is no
way to prevent Eve from performing $U_i$, but we need to prevent Eve from creating an
unauthorized copy of the key. We assume that Eve may destroy extra keys $|\phi_j\rangle$ for
$j \neq i$, but does not destroy the key $|\phi_i\rangle$ for performing $U_i$. We regard that
the key should be kept as the evidence of the authorized user.

Thus, we formally define authorized quantum computation implementing $2^k$ unitary operations
$\{U_i\}$ on $\mathcal{H}_{\mathrm{input}}^{\otimes n}$ as the existence of a quantum gate
sequence $x'(G')$ and quantum authorization keys $\{|\phi_i\rangle\}$ satisfying the following
two conditions. 1. $G'$ is a unitary operation on an extended Hilbert space satisfying Eq. (1)
for an arbitrary input state $|\psi\rangle \in \mathcal{H}_{\mathrm{input}}^{\otimes n}$.
2. There is no polynomial quantum algorithm $A$ such that

A:{x'{G'), \<p,)(^\<^,,))^iy{F'), 1^.)) (2) 

where $|\phi_{i_N}\rangle = |\phi_{j_1}\rangle \otimes \cdots \otimes |\phi_{j_N}\rangle$ is a
product state of $N$ keys ($i_N = j_1 \cdots j_N \in \{0,1\}^{kN}$) and $y(F')$ is a quantum
gate sequence of a unitary operation $F'$, which allows $U_i$
to be performed by using a forged key state 1^/"^/^) € H®'' 
(for some integer I) as 

F'm.)^M)^K'H)^U.\f)^ (3) 

for an arbitrary \^) e Hf„"p„, and (V^^,J e,> = S,,- 

Next, we investigate quantum gate shuffling algorithms for the obfuscation process. Among
algorithms mapping an element of $g_{p(n)}(U)$ to another element of $g_{q(n)}(U)$ where
$p(n) < q(n)$, we define a completely-random shuffling to be an algorithm randomly obtaining a
quantum gate sequence from all possible quantum gate sequences of $g_{q(n)}(U)$. To understand
the power of random shuffling, we study restricted quantum gate sequences denoted by $z(C_I)$ of
a controlled identity operation $C_I$ on $\mathcal{H}^{\otimes (n+1)}$ constructed by a quantum
gate sequence $x(I)$. For a given polynomial quantum gate sequence $x(U)$ of a general unitary
operation $U$ on $\mathcal{H}^{\otimes n}$, we can always construct a corresponding quantum gate
sequence $z(C_U)$ of a controlled unitary operation $C_U$ on $\mathcal{H}^{\otimes (n+1)}$ by
adding a control qubit in front of the original qubits, replacing all the gate elements by
controlled-gate operations and further decomposing them into elementary gate operations. This
procedure can be completed in polynomial steps in $|x(U)|$. Note that the restricted quantum
gate sequence $z(C_I)$ can also be constructed from $x(e^{i\theta}I)$ [5].

We consider that a quantum gate sequence $x(I) \in g_{p(n)}(I)$ is given by a non-trivial
combination of elementary gates and we further apply a quantum gate sequence of a unitary
operation $V$ acting only on the control qubit (the first qubit) Hilbert space
$\mathcal{H}_{\mathrm{control}}$. We compare the quantum gate sequences of $(V \otimes I)C_I$
and $C_I(V \otimes I)$. If there exists a random shuffling algorithm in polynomial time, both
sets are given by $g(V \otimes I)$ and they are identical. Thus, after the random shuffling
process, we cannot distinguish whether the quantum gate sequence of $V$ was originally applied
from the right-hand side of the controlled identity or from the left-hand side. Information of
the position of $V$ is lost. This information loss is a key idea for our security proof.

However, the existence of a completely-random gate shuffling algorithm in polynomial time is not
known and it is unlikely. Instead, we introduce a concept of a sufficiently-random gate
shuffling algorithm. To ensure informational indistinguishability of the applied order of $V$ on
$\mathcal{H}_{\mathrm{control}}$, shuffling algorithms are required such that the two sets of
quantum gate sequences obtained by shuffling $z_l = x(V)z(C_I)$ and $z_r = z(C_I)x(V)$ overlap
significantly. Thus we define a sufficiently-random gate shuffling algorithm as follows: A gate
shuffling algorithm $S$ in polynomial time is said to be sufficiently-random if, for a
restricted quantum gate sequence $z(C_I)$ constructed from arbitrary $x(I) \in g_{p(n)}(I)$ and
a gate sequence $x(V)$ of $V$ on $\mathcal{H}_{\mathrm{control}}$, there exists a polynomial
function $q(n)$ of the number of qubits $n$ such that

$$\frac{|\mathcal{D}(x(V)z(C_I)) \cap \mathcal{D}(z(C_I)x(V))|}{|\mathcal{D}(x(V)z(C_I)) \cup \mathcal{D}(z(C_I)x(V))|} \ge \frac{1}{q(n)}, \qquad (4)$$

where $\mathcal{D}(\cdot)$ is a distribution obtained by applying $S$ on a quantum gate sequence
$\cdot$ in polynomial time.

Note that a sufficiently-random gate shuffling does not require a completely-random shuffling,
for the following reasons. A set of $z(C_I)$ constructed from $x(I) \in g_{p(n)}(I)$ is a subset
of $g_{p(n+1)}(I)$ and not uniform. Thus, $\mathcal{D}(x(V)z(C_I))$ and
$\mathcal{D}(z(C_I)x(V))$ are not necessarily required to be a uniform distribution of
$g_{p(n+1)}(I)$. Further, $q(n)$ of Eq. (4) may depend on $z(C_I)$ and $x(V)$, since we require
$q(n)$ to be just a polynomial function.

By assuming the existence of the sufficiently-random gate shuffling algorithm, we prove that it
is quantum-computationally difficult for Eve to perform a cracking algorithm $A$ defined by
Eq. (2). We show that the quantum computational complexity of this task is in the NQP
(Non-deterministic Quantum Polynomial)-hard class by reducing it to a NQP-Complete problem, the
exact non-identity check problem [6] of large unitary gate sequences. The exact non-identity
check problem is defined as follows. Let $x$ be a quantum gate sequence implementing a unitary
operation $U$ with an ancilla system; decide whether $U$ is proportional to the identity
operation, i.e., $U = e^{i\theta}I$, or not. It is proven in Ref. [6] that the computational
complexity of the exact non-identity check problem is NQP-Complete [7]. The class NQP is
considered to be one of the natural extensions of the class NP to quantum computational
complexity.

To apply the algorithm $A$ to the exact non-identity check problem, we introduce a modified
non-identity check problem by extending a quantum gate sequence $x(U)$ on
$\mathcal{H}^{\otimes n}$ into a restricted quantum gate sequence $z(C_U)$ on
$\mathcal{H}^{\otimes (n+1)}$. Then we apply two unitary operations $V_L$ and $V_R$ on
$\mathcal{H}_{\mathrm{control}}$ (the controlled qubit) from the left-hand side and the
right-hand side of $C_U$. The resulting operation is written as
$C'_U = (V_L \otimes I)C_U(V_R \otimes I)$. Similarly to Eq. (1), this operation transforms
$C'_U(|\phi_i\rangle \otimes |\psi\rangle) = |\phi'_i\rangle \otimes U^i|\psi\rangle$ for an
arbitrary input state $|\psi\rangle$, where $i \in \{0,1\}$,
$|\phi_i\rangle = V_R^\dagger|i\rangle$ and $|\phi'_i\rangle = V_L|i\rangle$ for a single-qubit
key state. (Note that $U^i$ denotes the $i$th power of $U$ and it is different from $U_i$.) We
state the modified non-identity check problem as follows: Given a quantum gate sequence $x(U)$,
decide whether the quantum gate sequence of $C'_U$ is in $g(G'_0) = g(V_L V_R \otimes I)$ or
$g(G'_1) = g((V_L \otimes I)C_U(V_R \otimes I))$ where $U \neq I$.

We investigate the action of the algorithm $A$ on a sufficiently-random shuffled gate sequence
$z'(C'_U) \in \mathcal{D}(z(C'_U))$. Since Eq. (2) has to be also satisfied for $N$ key states
$|\phi_{i_N}\rangle = V_R^\dagger|j_1\rangle \otimes \cdots \otimes V_R^\dagger|j_N\rangle$ for
$i_N = j_1 \cdots j_N \in \{0,1\}^N$, and by linearity of the algorithm, Eq. (2) holds even if
we replace the key state by any mixture of key states, namely,
$\sum_{i_N} p_{i_N}|\phi_{i_N}\rangle\langle\phi_{i_N}|$ where $\{p_{i_N}\}$ is an arbitrary
probability distribution. For the case of a unitary operation $C'_U$, the key space
$\mathcal{H}_{\mathrm{key}}$ does not contain the dummy space. Thus, we can replace the mixture
by a completely mixed state $I/2^N$. This means that Eve has no advantage from collecting extra
keys; instead, she just needs to prepare $I/2^N$ by herself. Thus, we can omit
$|\phi_{i_N}\rangle$ in Eq. (2) without loss of generality, and the action of the algorithm $A$
can be simplified to

A' ■.{z'iC'u), m^{y{F'), (5) 

Further, Eq. (5) can be represented by a CPTP map

K'm m =T0.> (0.1 ® EyPl'i \y) {y\ ® i^U 

where $\sum_y p^{y}_{z'i} = 1$ and $y \in \{0,1\}^*$ is an abbreviation of the quantum gate
sequence $y(F')$ for a unitary operation $F'$ satisfying Eq. (3). Using the Stinespring
representation, $K_{z'}$ can be simulated by a unitary operation $W_{z'}$ by adding an
appropriate dimensional ancilla $|0\rangle = |0 \ldots 0\rangle$ as

w,.{\<j),) (g> |o)) = 10,) ® ® l'^-^'*^ ® 1^^'*^ 

y 

where $\langle y_{z'i}|y'_{z'i}\rangle = \delta_{yy'}$.
For $U \neq I$, note that

E \/p'oPf''i(2/ly')(€'oie'i)(2/^'o|y'^'i) = 0. (7) 

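Applying $W_{z'}$ on $|\phi_+\rangle \otimes |0\rangle$, where
$|\phi_+\rangle = V_R^\dagger(|0\rangle + |1\rangle)/\sqrt{2}$, and tracing out the ancilla
qubits, we obtain
$\Gamma_{z'}(|\phi_+\rangle\langle\phi_+|) = \mathrm{tr}_{\mathrm{ancilla}}[W_{z'}(|\phi_+\rangle\langle\phi_+| \otimes |0\rangle\langle 0|)W_{z'}^\dagger] = I/2$.
Thus, for all $V_L$ and $V_R$ and all $z'(C'_U) \in g(G'_1)$, we have

$$\langle\phi_j|\Gamma_{z'}(|\phi_i\rangle\langle\phi_i|)|\phi_j\rangle = \delta_{ij}, \qquad (8)$$
$$\langle\phi_+|\Gamma_{z'}(|\phi_+\rangle\langle\phi_+|)|\phi_+\rangle = 1/2. \qquad (9)$$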

For $U = I$, note that $z(C'_I) \in g(G'_0) = g(V_L V_R \otimes I) = g(V_{L'} V_{R'} \otimes I)$
for $V_L \neq V_{L'}$ and $V_R \neq V_{R'}$ where $V_L V_R = V_{L'} V_{R'}$. For $O(1/q(n+1))$
of the sufficiently-random shuffled quantum gate sequences of $S(z(C'_I))$, we cannot determine
which $V_R$ is taken. This property leads to a contradiction if we assume that we cannot perform
the exact non-identity check problem in polynomial time without using a witness state.

Under the impossibility of the exact non-identity check problem, the two probabilities given by
Eqs. (8) and (9) for $U = I$ should not differ by more than $o(1/\mathrm{poly})$. By taking
$V_R = V_L = H$, where $H$ denotes a Hadamard operation, we have the probabilities
$\langle +|\Gamma_{z'}(|+\rangle\langle +|)|+\rangle = 1$ and
$\langle 0|\Gamma_{z'}(|0\rangle\langle 0|)|0\rangle = 1/2$. However, under the existence of
sufficiently-random shuffling, we can also take $V_{R'} = V_{L'} = I$. To satisfy the
impossibility of the exact non-identity check problem, the probabilities also have to satisfy
$\langle 0|\Gamma_{z'}(|0\rangle\langle 0|)|0\rangle = 1$ and
$\langle +|\Gamma_{z'}(|+\rangle\langle +|)|+\rangle = 1/2$, which contradicts the previous
results.

Thus, if there is an algorithm $A$, we can decide whether an obfuscated quantum gate sequence
$z'(C'_U)$, obtained by using a sufficiently-random shuffling algorithm for a given quantum gate
sequence $x(U)$, belongs to $g(G'_0)$ or $g(G'_1)$ by observing the difference in probabilities
of the above two cases by repeating the processes many (but polynomial) times. Then it is
possible to check whether the given quantum gate sequence $x(U)$ is an identity or not in
polynomial time. However, the exact non-identity check problem has been shown to be NQP-complete
and it is hard to solve in polynomial time without using the witness state. Therefore, Eve's
cracking strategy $A$, analyzing the quantum gate sequence $x'(G')$ obfuscated by the
sufficiently-random shuffling algorithm $S$, is shown to be a computationally hard problem even
using quantum computers.

In this letter, we propose authorized quantum computation, where only a user with a
non-cloneable quantum authorization key can perform a unitary operation genuinely created by a
programmer. In our scheme, the unitary operation is encrypted into another unitary operation
acting on a larger Hilbert space in the form of programmable quantum arrays proposed by Nielsen
and Chuang. Further, the quantum gate sequence of the encrypted unitary operation is obfuscated
by a sufficiently-random shuffling algorithm and then it is authenticated and publicly
announced. To perform the original unitary operation, the user needs to obtain a quantum
authorization key, which is provided by the programmer to the authorized user, and then performs
the obfuscated gate sequence together with the key.

The security of our authorized quantum computation is based on the quantum computational
complexity of forging the quantum authorization key from the obfuscated quantum gate sequence.
Under the assumption of the existence of a sufficiently-random shuffling algorithm, we have
shown that the problem is NQP-hard by reducing it to a NQP-Complete problem, the exact
non-identity check problem of large quantum gate sequences. Therefore, our authorized quantum
computation can be computationally secure against attacks using quantum computers.